Tuesday, March 15, 2011

“Small” Data Breaches Top 9,100 in First Year of Reporting

Reports of large-scale data breaches are commonly in the news, and the
Department of Health and Human Services now maintains a public list
of them on its Web site that has become a watch list of sorts.

HHS, however, also receives reports of breaches involving fewer than
500 individuals. The department is not required to publish these
reports, but the totals surfaced in paperwork supporting the federal
2012 budget.

In a written justification of its 2012 budget request, the Office for
Civil Rights reports that as of September 30, 2010, it had received
9,109 reports of breaches affecting fewer than 500 individuals. That
represents one complete year of reports—an average of 25 reports per
day.

The Back Story on Breach Reporting
Breach reporting is a provision of the HITECH Act, which modified
HIPAA to require that covered entities report breaches of unsecured
protected health information to HHS. Breaches involving 500 or more
people must be reported within 60 days of their discovery. HITECH
directs HHS to publish these reports on its Web site. (It also
requires covered entities to notify the affected individuals and, when
a breach affects more than 500 residents of a state or jurisdiction,
prominent media outlets serving that area.)

Covered entities must report breaches affecting fewer than 500
individuals annually, within 60 days of the end of the calendar year
in which the breaches occurred. HHS is not required to publish these
reports; HITECH only stipulates that the department compile them for
annual reporting to several Congressional committees.

OCR mentions the reports only in connection with its 2012 budget
request. The office, which is responsible for enforcing the HIPAA
privacy rule, is requesting additional money for investigations. It
states that a current lack of resources has prevented it from
investigating reports of breaches affecting fewer than 500
individuals. These reports "are treated as discretionary," OCR
writes, "and only investigated as resources permit."

In sheer number, the reports of “small” breaches swamp those of the
much-publicized large breaches. As of September 30, 2010, covered
entities had reported fewer than 200 breaches affecting 500 or more
individuals. However, OCR does not mention how many individuals were
affected in the small breaches, so it is not possible to compare the
impact.

The 9,109 reports also dwarf the expected number of breaches that OCR
put forth in its 2009 interim final rule enacting the HITECH
modifications. Using information from datalossdb.org, OCR had
projected 106 breach reports annually (50 involving fewer than 500
individuals), a number it admitted was a best-guess estimate given the
lack of comprehensive historical information.
